EXCEL vs. GDPR software – can you handle GDPR using Excel?

EXCEL vs. GDPR software

Many organizations start their compliance with the General Data Protection Regulation (GDPR) in an Excel spreadsheet.

However, the complexity of the compliance process, constant changes, consent revokes, and the multiple organizational roles involved soon showed that Excel might not be the perfect solution for keeping the records of processing activities.

Post summary:

  • GDPR has changed the way companies manage personal data.
  •  Microsoft Excel is the starting point for most of them, but it fails as an operational tool for compliance.
  •  Are there any better solutions to help you manage GDPR processes more efficiently?

EXCEL vs. GDPR software

Since the GDPR came into force, most companies find themselves more or less compliant, but not entirely. They still need help with basic GDPR requirements.


Anyone involved in the compliance will tell you it is an ongoing process. You are never 100% compliant since even the tiniest human error could lead to a potential personal data breach. However, this doesn’t mean you shouldn’t strive to become compliant. 

Our GDPR research among DPOs from 29 different companies showed the majority still use Excel for keeping their records of processing activities. However, over 82% of them consider that Excel is not an optimal tool for managing the Records of processing activities.

chart-2-do-you-think-Excel-is-the-optimal-tool-for-Keeping-Records of processing activities -ROPA

Read the entire research here:

DPM Survey 2019: Operationalization of the GDPR processes in Organizations 

First compliance steps and GDPR challenges

Most Data Protection Officers turn to Microsoft Excel as their first choice for keeping records of processing activities and monitoring GDPR processes.

However, as digital transformation has revolutionized the entire business, chosen approach to compliance might be the key differentiator for your business – something your competition does not yet do in a fully transparent way.

If you are using Excel, maybe there are a few questions you should ask yourself:

  • What will happen after years of keeping records of processing activities in Excel?
  • Can you track all the alterations to the data sets made in Excel?
  • Can you apply any GDPR policies to your datasets?
  • Have you taken into consideration all the risks of keeping records of processing in Excel?

Companies that tend to keep personal data in Excel face enormous risks. Take a minute to ask yourself if this kind of exposure represents a significant cost in the long run and if it represents a risk you have not taken into account.

Although Microsoft Excel does have an important application in everyday business, primarily because of its familiarity and accessibility, it will not enhance your company’s performance to meet GDPR requirements.

In the long run, the issues will pile up, and then it is back to step one and rethinking how you monitor, supervise, administer, and orchestrate GDPR processes.

Consent and Preference Management tool

In their Market Guide for Consent and Preference Management, Gartner – the world’s leading research and advisory company, recommends implementing what they call a single source of truth.

A single source of truth is centralized software that will help your company manage all GDPR-related activities in a single place.

With GDPR fines going sky high, should companies stick to a tool like Excel, with very limited features for managing the compliance process?

If your company processes sensitive information or thousands of data subjects’ personal information, it is inevitable to move away from Excel to more specialized software solutions.  

[RELATED TOPIC: Sensitive personal data - special category under the GDPR]

Functionalities of the GDPR software vs. Excel

A GDPR software can untangle and set straight your compliance process and depending on a software it can provide the following functionalities:

The GDPR Article 30  addresses your responsibility to keep a record of your company’s processing activities. Some companies, especially B2C companies, manage and store massive amounts of data that are hard to manage

We have discussed this in more detail in our blog Records of processing activities- ROPA

When using Excel, there is also the difficulty of not being able to connect ROPA to different IT systems where you store data.

The solution you are looking for needs to provide these actions and also track the change history so that the Data Protection Officer has a clear overview of the data.

Most companies, small to big-sized, hire Third-party vendors for professional services and products. In this case, sharing personal data is unavoidable, and data controllers hold the risks.

To protect your business from potential risks, it is advised to incorporate appropriate technical and organizational measures. In this case, having software that centrally manages third parties and guides your partners through vendor management process workflow is worth gold.

Having real-time insight into the complete personal data lifecycle is highly improbable without the software solution, yet it is the first stepping stone in the GDPR compliance journey.

No Excel datasheet can ever track what is really going on with your GDPR activities. Some software can centrally manage notices and propagate them through all consent collection channels.

Do you have trouble identifying all personal data across IT systems?

The software should help you discover personal data in your systems (cloud or on-premise).

In the case of DPM Data Discovery, it connects to all relational databases of the company, making search inquiries, eliminating false positives, and identifying all personal information across multiple systems.

  • Works with structured and unstructured data
  • For all languages and all scripts
  • DPM Data Discovery connects to all standard databases, file share locations, SaaS applications, and other types of data sources
  • Works with all file types like text, Excel sheets, pdf, CVS, e-mails, log files, social network interactions, and others
  • Uses machine learning and rule-based approaches to facilitate accurate and timely classification of personal data across relational databases

Manual data discovery can exhaust a lot of in-house resources with very questionable results.

You need to provide the individual with information about their request without delay and within 30 days of receipt of the request.

You should look for the functionality that allows you to automate the flow of their requests, supervise it, and manage it in one central place.

Be transparent with what you do with personal data! Make sure individuals have access to their preferences and see the list of their consents so they can opt-out if they want to but also opt-in for other consents through one interface.

Maybe your ideal scenario doesn’t involve your customers opting out. However, that is part of the process of having healthy and relevant marketing contact lists.

There is no value in having a list full of contacts who do not find your content and offer valuable and relevant. In the long run, it is a very effective practice, like the process of decanting vine. It lets your contact lists breathe and shows real data based on real numbers.

92% of customers stated that they would be more willing to trust a company with their personal information if they had control over what information is collected about them.

The GDPR recommends data anonymization and pseudonymization as a solution for removing data from your systems. It is essential to know what data and when you need to remove or archive personal data. 

To understand the ins and outs of data removal, download our eBook:

Download e-book: GDPR compliant personal data removal

To avoid highly risky practices, you should understand how data processing activities in your company affect each data subject across systems. A lack of 360 overviews can lead to an inability to properly manage their rights and requests, such as the right to be forgotten.

Nonetheless, the GDPR recommends you give your clients (that is, data subjects) access to their data and the ability to change their preferences and make other corrections to their data.

Privacy Portal is a  self-service interface that helps data subjects manage their privacy settings and allows them to easily opt-in or opt-out of existing, previously given consent.

So why would you miss the opportunity to have a tailor-made serf-service interface that also increases the level of trust with your customers?

What message do you want to send to your clients and to the supervisory authority?

Managing the GDPR-related activities in the software will help you save time but also increase efficiency and let you focus on the actual everyday business.

Taking all the necessary measures that will make your company GDPR compliant will send the signal to the regulator that you do take GDPR and its meaning in business seriously. 

Excel vs. GDPR software – Conclusion

To sum up, using Excel can be a starting point for most companies. However, as personal data processing gets more and more complex, as more employees can access it and change the data, it can be really hard to tell what is right and what is wrong with your current records.


GDPR has changed the way companies deal with personal data, and drastic fines of up to €20 million should be enough to take action toward GDPR compliance in your company.

Request a Data Privacy Manager demo

Let us navigate you through the Data Privacy Manager solution and showcase functionalities that will help you overcome your compliance challenges.

Scroll to Top